administeringquick reference for administrators Trusted Extensionsquick reference to administration Solaris Trusted Extensions interfaces extend the Solaris OS. This appendix provides a quick reference of the differences. For a detailed list of interfaces, including library routines and system calls, see Appendix E, List of Trusted Extensions Man Pages. differencesadministrative interfaces in Trusted Extensions Trusted Extensions provides interfaces for its software. The following interfaces are available only when Trusted Extensions software is running:txzonemgr scriptProvides a menu-based wizard for creating, installing, initializing, and booting labeled zones. The title of the menu is Labeled Zone Manager. This script also provides menu items for networking options, name services options, and for clienting the global zone to an existing LDAP server. Trusted CDE actionsIn Trusted CDE, Workspace Menu –> Application Manager –> Trusted_Extensions contains CDE actions that configure files, install and boot zones, and simplify other Trusted Extensions tasks. For the tasks that these actions perform, see Trusted CDE Actions. Trusted CDE online help also describes these actions. Admin EditorThis trusted editor is used to edit system files. In Trusted CDE, Workspace Menu –> Application Manager –> Trusted_Extensions –> Admin Editor invokes the Admin Editor. In Trusted GNOME, the editor is invoked from the command line. You provide the file to be edited as the argument, as in:/usr/dt/bin/trusted_edit filename Device Allocation ManagerIn Trusted Extensions, this GUI is used to administer devices. The Device Administration dialog box is used by administrators to configure devices.The Device Allocation Manager is used by roles and regular users to allocate devices. The GUI is available from the Trusted Path menu. Label BuilderThis application is invoked when the user can choose a label or a clearance. This application also appears when a role assigns labels or label ranges to devices, zones, users, or roles. Selection ManagerThis application is invoked when an authorized user or authorized role attempts to upgrade or downgrade information. Trusted Path menuThis menu handles interactions with the trusted computing base (TCB). For example, this menu has a Change Password menu item. In Trusted CDE, you access the Trusted Path menu from the workspace switch area. In Trusted JDS, you access the Trusted Path menu by clicking the trusted symbol at the left of the trusted stripe. Administrative commandsTrusted Extensions provides commands to obtain labels and perform other tasks. For a list of the commands, see Command Line Tools in Trusted Extensions. differencesextending Solaris interfaces Trusted Extensions adds to existing Solaris configuration files, commands, and GUIs:Administrative commandsTrusted Extensions adds options to selected Solaris commands. For a list, see Table 8–5. Configuration filesTrusted Extensions adds two privileges, net_mac_aware and net_mlp. For the use of net_mac_aware, see Access to NFS Mounted Directories in Trusted Extensions.Trusted Extensions adds authorizations to the auth_attr database. For a list, see Additional Rights and Authorizations in Trusted Extensions in Solaris Trusted Extensions Transition Guide.Trusted Extensions adds executables, including CDE actions, to the exec_attr database.Trusted Extensions modifies existing rights profiles in the prof_attr database. It also adds profiles to the database.Trusted Extensions adds CDE actions to the executables that can be privileged in the exec_attr database.Trusted Extensions adds fields to the policy.conf database. For the fields, see policy.conf File Defaults in Trusted Extensions.Trusted Extensions adds audit tokens, audit events, audit classes, and audit policy options. For a list, see Trusted Extensions Audit Reference. Solaris Management ConsoleTrusted Extensions adds a Security Templates tool to the Computers and Networks tool set.Trusted Extensions adds a Trusted Network Zones tool to the Computers and Networks tool set.Trusted Extensions adds a Trusted Extensions Attributes tab to the Users tool and the Administrative Roles tool. Shared directories from zonesTrusted Extensions enables you to share directories from labeled zones. The directories are shared at the label of the zone by creating an /etc/dfs/dfstab file from the global zone. differencesdefaults in Trusted Extensions Trusted Extensions establishes tighter security defaults than the Solaris OS:AuditingBy default, auditing is enabled.An administrator can turn off auditing. However, auditing is typically required at sites that install Trusted Extensions. DevicesBy default, device allocation is enabled.By default, device allocation requires authorization. Therefore, by default, regular users cannot use removable media.An administrator can remove the authorization requirement. However, device allocation is typically required at sites that install Trusted Extensions. PrintingRegular users can print only to printers that include the user's label in the printer's label range.By default, printed output has trailer and banner pages. These pages, and the body pages, include the label of the print job.By default, users cannot print PostScript files. RolesRoles are available in the Solaris OS, but their use is optional. In Trusted Extensions, roles are required for proper administration.Making the root user a role is possible in the Solaris OS. In Trusted Extensions, the root user is made a role to better audit who is acting as superuser. differenceslimited options in Trusted Extensions Trusted Extensions narrows the range of Solaris configuration options:DesktopTrusted Extensions offers two desktops, the Solaris Trusted Extensions (CDE) and the Solaris Trusted Extensions (JDS). Naming serviceThe LDAP naming service is supported. All zones must be administered from one naming service. ZonesThe global zone is an administrative zone. Only the root user or a role can enter the global zone. Therefore, administrative interfaces that are available to regular Solaris users are not available to regular Trusted Extensions users. For example, in Trusted Extensions, users cannot bring up the Solaris Management Console.Non-global zones are labeled zones. Users work in labeled zones.All zones must be administered from one naming service.